Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Transcription

1 Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1

2 Agenda Part 1: Introduction Why is Forward Secrecy important? Technology Overview RSA Algorithm Diffie-Hellman Performance Impact Increasing adoption of Forward Secrecy Part 2: Deep Dive RSA Algorithm Diffie-Hellman Elliptic Curve Cryptography (ECC) Implementing Forward Secrecy 2

3 What s the problem? 3

4 Why is Forward Secrecy important? Using typical HTTPS implementations based on RSA, an adversary could record encrypted data and decrypt it later if they gain access to the relevant private key(s) Using Forward Secrecy this approach is impossible 4

5 Review of SSL/TLS FUNCTION Authentication Key Exchange/Agreement Encryption Algorithm Hashing Algorithm Examples RSA DSA RSA Diffie-Hellman RC4 AES MD5 SHA-1 5

6 RSA is the problem Ron Rivest, Adi Shamir, and Len Adleman released the Rivest- Shamir-Adleman (RSA) public key algorithm in This algorithm can be used for encrypting and signing data. The encryption and signing processes are performed through a series of modular multiplications. 6

7 SSL Handshake Process RSA Browser requests web server identity Client Hello Challenge string Server Supported sends cipher a copy suites of its SSL certificate Server Hello Certificate (includes public key) Browser Confirmed checks cipher the suite SSL certificate and sends encrypted session key Master Key Encrypted with server public key Server sends an acknowledgement Server Verify Encrypted challenge string Encrypted Data SYMANTEC VISION

8 RSA key exchange During the SSL handshake, the client receives the server s certificate This includes the server s public key Using RSA, the HTTPS session key is encrypted by the client using the server s public key and sent to the server across the network The server decrypts the session key using the corresponding private key RSA is vulnerable if the private key is discovered 8

9 Diffie-Hellman is the Solution The Diffie-Hellman algorithm was invented in 1976 by Whitfield Diffie and Martin Hellman (US patent 4,200,770). The Diffie-Hellman algorithm is not for encryption or decryption but it enables two parties who are involved in communication to generate a shared secret key for exchanging information confidentially. They can do this even when an eavesdropper listens in on their entire conversation. Whitfield 'Whit' Diffie Martin Hellman 9

10 SSL Handshake Process Diffie-Hellman Browser requests web server identity Client Hello Challenge string Server Supported sends cipher a copy suites of its SSL certificate Server Hello Certificate Browser Confirmed checks cipher the suite SSL certificate and Server key sends info confirmation Key Agreement Client key info Server sends an acknowledgement Server Verify Encrypted challenge string Encrypted Data SYMANTEC VISION

11 Diffie-Hellman key agreement Using Diffie-Hellman key agreement, client and server agree a session key without ever sending the key across the network Diffie-Hellman can be used to enable Forward Secrecy 11

12 What is Perfect Forward Secrecy? Forward Secrecy uses Diffie-Hellman to generate a key for each session Perfect Forward Secrecy enhances Forward Secrecy by continuously changing the key material during each session generating a new key for each message of a conversation 12

13 Where is Forward Secrecy Implemented? As of January 2014, 5% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to web browsers* * SSL Pulse (January 03, 2014) 13

14 Are You Using Forward Secrecy? Let s See 14

15 Are You Using Forward Secrecy? 15

16 Implementing Forward Secrecy Or can you? 16

17 How do you implement Forward Secrecy? Diffie-Hellman Key Exchange (DHE) has a significant CPU overhead compared to RSA Elliptic Curve Diffie- Hellman (ECDHE) has minimal CPU overhead compared to RSA Source: Bernat 17

18 Elliptic Curve Cryptography Overview ECC 1 Stronger Encryption 2 Efficient Performance 3 Highly Scalable 4 Future of Crypto Tech Shorter key than RSA 256-bit ECC = 3072-bit RSA 10k times harder to crack than RSA 2048 Meets NIST recommendations Efficiency increases with higher server loads Utilizes less server CPU PC s: Faster page load time Ideal for mobile devices Large SSL deployments w/out additional hardware Securing the enterprise: Use fewer resources Lower costs Viable for many years Built for Internet of Things Supports billions of new devices coming online Ideal for Open Networks Truly future proof trust infrastructure in place 18

19 Implementing Forward Secrecy Source: Huang, Adhikarla, Boneh, Jackson 19

20 Implementing Forward Secrecy Source: Huang, Adhikarla, Boneh, Jackson 20

21 Implementing Forward Secrecy Use Diffie-Hellman key agreement for Forward Secrecy Use Elliptic Curve Cryptography for Performance ECC 21

22 Technical Overview What is the RSA Algorithm? What is Diffie-Hellman? What is Elliptic Curve Cryptography (ECC)? 23

23 RSA key exchange During the SSL handshake, the client receives the server s certificate This includes the server s public key Using RSA, the HTTPS session key is encrypted by the client using the server s public key and sent to the server across the network The server decrypts the session key using the corresponding private key RSA is vulnerable if the private key is discovered 24

24 RSA Encryption & Decryption Example Public key: n=33 e=3 Formula: y=x e mod n Encryption using public key Plaintext Binary plaintext we attack at dawn Groups of 5 bits Decimal plaintext (x) x 3 Decimal ciphertext y = x 3 mod Binary ciphertext Ciphertext org^zplvnwk>?@qd 25

25 RSA Encryption & Decryption Example Decryption using private key Ciphertext Private key: n=33 d=7 Formula: x=y d mod n org^zplvnwk>?@qd Binary ciphertext Decimal ciphertext y y 7 Decimal plaintext x = y 7 mod 33 Groups of 5 bits Binary plaintext Plaintext we attack at dawn 26

26 RSA Encryption & Decryption Exercise Choose a number 1 < x < 33 Encrypt x with RSA using the public key n=33, e=13 Decrypt the encrypted number using the private key n=33, d=17 Check if the decrypted number equals the original number Encryption Decryption y=x e mod n x=y d mod n Modular Arithmetic (MOD Operation) Modular arithmetic is related to that of the remainder in division. The operation of finding the remainder is sometimes referred to as the modulo operation, for example 14 (mod 12) = 2. 27

27 Why is RSA Secure? e p x q = n Large prime numbers Public Key Private Key d = Function of p q e Hard Problem: To calculate d from n & e, you must find the prime factors of n What are the prime factors of 6499? What is 67 x 97? 28

28 How secure is RSA? Asymmetric Key Length Key Space Equivalent Symmetric Key Length 768 bits bits 1024 bits bits 2048 bits bits 3072 bits bits 29

29 Diffie-Hellman key agreement Using Diffie-Hellman key agreement, client and server agree a session key without ever sending the key across the network Diffie-Hellman can be used to enable Forward Secrecy 30

30 Diffie-Hellman Key Exchange Algorithm Example Formula y = g x mod n Public Parameters Prime modulus: n=31 Primitive element: g=3 A Random value a=8 A = g a mod n = 3 8 mod 31 = 20 Random value b=6 B = g b mod n = 3 6 mod 31 = 16 B B=16 A=20 S = B a mod n = 16 8 mod 31 = 4 Shared Secret Key (S) is the same g ab mod n = g ba mod n S = A b mod n = 20 6 mod 31 = 4 31

31 Diffie-Hellman Key Exchange Exercise Choose a number 1 < x < 20 Encrypt x with Diffie-Hellman using the public parameters n=31, g=3 Exchange the encrypted number y with your neighbour Calculate the shared key (S) using your neighbour s encrypted number (y) and your number (x) Check with your neighbour if your values for S are the same Encryption Shared Key y=g x mod n S=y x mod n Modular Arithmetic (MOD Operation) Modular arithmetic is related to that of the remainder in division. The operation of finding the remainder is sometimes referred to as the modulo operation, for example 14 (mod 12) = 2. 32

32 TLS 1.2 Key Exchange Mechanisms RFC 5246 Mechanism Method Server public key RSA RSA RSA RSA DH_RSA Diffie-Hellman Diffie-Hellman RSA DH_DSS Diffie-Hellman Diffie-Hellman DSA DHE_RSA Ephemeral Diffie-Hellman RSA Any DHE_DSS Ephemeral Diffie-Hellman DSA Any Certificate signature DH_anon Diffie-Hellman None None Forward Secrecy 33

33 Elliptic Curves An elliptic curve is a plane curve defined by an equation of the form: y 2 x 3 ax b Examples: 34

34 Elliptic Curve Cryptography (ECC) Adding 2 points on a curve produces another point on the curve Adding a point to itself produces another point on the curve If we add a point P to itself d times we end up with Q, another point on the curve Digital Privacy: AOSSL & PFS SYMANTEC VISION

35 Elliptic Curve Cryptography (ECC) Elliptic curves can be used to construct a public key cryptography system The private key d is randomly selected from [1,n-1], where n is integer Then the public key Q is computed by dp, where P,Q are points on the elliptic curve Like the conventional cryptosystems, once the key pair (d, Q) is generated, a variety of cryptosystems such as signature, encryption/decryption and key management can be set up 36

36 Recommended Key Sizes Symmetric Key Size (bits) RSA and Diffie- Hellman Key Size (bits) Elliptic Curve Key Size (bits)

37 Elliptic Curve Diffie-Hellman Example Alice and Bob make a key agreement over the following prime, curve, and point: p=3851, E:y 2 =x x+1287, P=(920,303) E(F 3851 ) Alice chooses the private key d A =1194, computes Q A =1194P=(2067,2178) E(F 3851 ), and sends it to Bob Bob chooses the private key d B =1759, computes Q B =1759P=(3684,3125) E(F 3851 ), and sends it to Alice Alice computes d A Q B =1194(3684,3125)=(3347,1242) E(F 3851 ) Bob computes d B Q A =1759(2067,2178)=(3347,1242) E(F 3851 ) 38

38 ECC Key Exchange Mechanisms RFC 4492 Mechanism Method Server public key Certificate signature ECDH_RSA ECDH_ECDSA ECDHE_RSA ECDHE_ECDSA ECDH_anon Elliptic Curve Diffie- Hellman Elliptic Curve Diffie- Hellman Ephemeral Elliptic Curve Diffie-Hellman Ephemeral Elliptic Curve Diffie-Hellman Ephemeral Elliptic Curve Diffie-Hellman Elliptic Curve Diffie-Hellman Elliptic Curve Diffie-Hellman RSA ECDSA None RSA ECDSA Any Any None Forward Secrecy ECC Certificate 39

39 ECC Certificate Example Key Exchange Using ECDHE_ECDSA 40

40 Summary Implementing Forward Secrecy Put ECDHE and DHE methods at top of server priority list Install ECDSA certificates Mechanism Method Certificate Performance DHE_RSA Ephemeral Diffie-Hellman RSA DHE_DSS Ephemeral Diffie-Hellman DSA ECDHE_RSA ECDHE_ECDSA Ephemeral Elliptic Curve Diffie-Hellman Ephemeral Elliptic Curve Diffie-Hellman RSA ECDSA * * ** *** 41

41 Use Symantec ECC Certificates to enable Forward Secrecy An ECC certificate is included at no additional cost with all Symantec Premium SSL certificates Symantec s ECC certificate roots have been in place for over five years: You can be confident that your ECC certificate will work throughout your ecosystem 42

42 Useful References Diffie Hellman Key Agreement Method RSA: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" Communications of the ACM 21 (2): RFC4492 Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) FIPS Digital Signature Standard (DSS) 43

43 Useful Links Forward Secrecy at Twitter: SSL Labs: Deploying Forward Secrecy: ssl-labs-deploying-forward-secrecy Symantec DSA / ECC FAQ: ocale=en_us&searchid= A (relatively easy to understand) primer on elliptic curve cryptography: 44

44 A Final Note. Public key cryptography was first discovered by American geeks. Right? Wrong. The Open Secret: rypto_pr.html The Alternative History of Public-Key Cryptography: Clifford Cocks & James Ellis:

45 Thank you! YOUR FEEDBACK IS VALUABLE TO US! Please take a few minutes to fill out the short session survey available on the mobile app the survey will be available shortly after the session ends. Watch for and complete the more extensive post-event survey that will arrive via a few days after the conference. To download the app, go to or search for Vision 2014 in the itunes or Android stores. 46